registry  /  @citizenplane/pimp  /  18.9.13

@citizenplane/pimp@18.9.13

⚠ Under review

<div align="center"> <a href="https://pimp.citizenplane.com" target="_blank"> <img alt="orbit-components" src="https://i.imgur.com/ZgJ9Sfq.png" width="100px" /> </a> </div>

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 87 file(s), 2.49 MB of source, external domains: example.com, feathericons.com, images.kiwi.com, ip2c.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist/pimp.es.jsView file
13158contains invisible/control Unicode U+202B (right-to-left embedding) "Afghanistan (<U+202B>افغانستان<U+202C><U+200E>)",
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/pimp.es.jsView on unpkg · L13158
dist/pimp.umd.jsView file
Trigger-reachable chain: manifest.main -> dist/pimp.umd.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/pimp.umd.jsView on unpkg

Findings

2 Critical3 Medium5 Low
CriticalTrojan Source Unicodedist/pimp.es.js
CriticalTrigger Reachable Dangerous Capabilitydist/pimp.umd.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License